Capital One: Convicted techie got in via 'misconfigured' AWS buckets
Assistant US attorney: 'She wanted data, she wanted money, and she wanted to brag'
Updated: A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court.
The conviction follows the infamous 2019 hack of Capital One, in which the personal information of more than 100 million US and Canadian credit card applicants was swiped from the financial giant's misconfigured cloud-based storage.
Paige Thompson (aka "erratic") was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."
According to the original July 2019 complaint [PDF], Capital One received an email to its responsible disclosure address stating: "There appears to be some leaked s3 data of yours in someone's github /gist."
The complaint added: "Capital One determined that the April 21 file contained code for three commands, as well as a list of more than 700 folders or buckets of data."
Capital One then confirmed that they "matched the actual names of folders or buckets of data used by Capital One for data stored at the cloud company."
According to the US Attorney's office, Thompson used a tool to scan AWS accounts in search of misconfigurations. She then used the results to siphon data from more than 30 entities, including Capital One. "With some of her illegal access," wrote the office, "she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet."
Evidence from Thompson's own words in texts and online chats was used in the seven-day jury trial. The jury took 10 hours to come up with a verdict: guilty of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer. Thompson was found not guilty of aggravated identity theft or access device fraud.
Sentencing is due on September 15, 2022.
As for Capital One, it was memorably slapped with a $80 million fine and settled customer lawsuits for $190 million following the leak. The Office of the Comptroller of the Currency (OCC), an independent bureau of the US Department of Treasury, took the Virginia-based bank to task over its shoddy security practices and applied for a cease and desist order against Capital One, forbidding it from "engaging in unsafe or unsound practices, including those relating to information security."
Quite an expensive misconfiguration, all told.
"Ms Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," thundered US Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."
"She wanted data, she wanted money, and she wanted to brag," Assistant United States Attorney Andrew Friedman said in closing arguments.
The Register contacted Thompson's lawyers for comment and will update should they respond. ®
Updated to add at 1446 UTC